بسم الله والصلاة والسلام على رسول الله
اللهم علمنا ما ينفعنا وانفعنا بما علمتنا وقنا عذاب النارInsecure Direct Object Reference (IDOR) is a type of Broken Access Control vulnerability where an application exposes direct references to internal objects (such as user IDs, records, or files) without properly validating authorization
Simple IDOR Example : 1- Assume the following URL:
https://example.com?userID=2The authenticated user Anas has userID=2. If Anas manually changes the parameter to
https://example.com?userID=3and the application returns data belonging to another user, this means the application does not properly verify authorization
PortSwigger Lab
We will solve an IDOR lab on PortSwigger to understand the vulnerability from the Red Team perspective first, before moving into the Blue Team analysis, in order to achieve a more effective and deeper understanding.
As shown in the lab, I currently have valid credentials for the user wiener. Using this account, I attempt to access sensitive information belonging to another user, carlos.
If the application is vulnerable to IDOR, it will return Carlos's data without properly verifying that the authenticated user (wiener) is authorized to access it.
change from wiener to carlos manually :
i get the api key of carlos account
we can do it by using :BurpSuite"
i edited manually the id from wiener to carlos
Why IDOR Is Dangerous
- Allows unauthorized access to sensitive data
- Common in APIs and backend services
- Often invisible without proper authorization logging
- Can lead to data leakage, privacy violations, and compliance issues
IDOR Attempt Logs
2025-12-21 10:21:01 GET /profile?id=1 HTTP/1.1 200 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:02 GET /profile?id=2 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:03 GET /profile?id=3 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:04 GET /profile?id=4 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:05 GET /profile?id=5 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:06 GET /profile?id=6 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:07 GET /profile?id=7 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:08 GET /profile?id=8 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:09 GET /profile?id=9 HTTP/1.1 302 src_ip=185.44.21.10 user=wiener
2025-12-21 10:21:10 GET /profile?id=10 HTTP/1.1 200 src_ip=185.44.21.10 user=wiener
Why SOC Flagged This as IDOR
1- Sequential ID enumeration (id=1 → id=10)
2- Same authenticated user and same IP
3- many requests returns 302
4- Time difference between requests is ~1 second (automation pattern)
5- No access control rejection (403) observed
IDOR Mitigation — Blue Team Approach
1- Enforce Object-Level Authorization : Every request that references an object must verify that the authenticated user is authorized to access that specific object
2- Deny by Default : Access should be denied unless explicitly allowed. If ownership or permission cannot be verified, return 403 Forbidden
3- Avoid Direct Object References : Use indirect references such as: UUIDs , Tokenized object identifiers , Mapping tables (user ↔ object) This reduces the risk of predictable enumeration
4- Add Rate Limiting & Behavioral Detection : Apply rate limits on sensitive endpoints and monitor for Sequential object access High request frequency from authenticated users
سبحانك اللهم وبحمدك, أشهد أن لا إله إلا أنت, نستغفرك ونتوب إليك